Turnkey phishing

A turnkey home? A turnkey website? How about turnkey phishing? Scammers now sell turnkey phishing services to other scammers. Read on to find out how it works.

Inside the workings of fraud-as-a-service

A scammer these days doesn’t need to know how to write malware or think up sophisticated digital fraud schemes. Today’s scams come prepackaged in the form of fraud-as-a-service (FaaS). The average scammer only needs to search for victims and then drain their wallets — the operator takes care of the rest.

Today, we look at a group that specializes in classifieds-website scams to explain what turnkey phishing is, and how best to defend against it.

Who provides the service?

A gang’s key person is the founder, or topic starter. This guy manages everyone else:

  • Coders, who are responsible for Telegram channels, chats and bots
  • Refunders, or fake support agents
  • Carders, who withdraw money from the victim’s bank account
  • Workers, who find ads, respond, and persuade victims to open a phishing link

That’s what the core lineup of almost any gang looks like. Especially sophisticated outfits also include marketers, motivators and mentors. These run promotional campaigns for the project, and provide moral support to, and training for, workers

The members of a scam gang chiefly communicate via private groups and chats in Telegram. The channel we investigated had around 15,000 members, with just five of them being mentors. Virtually everyone else was a worker — a pawn in this scheme. Read the investigative story on Securelist to find out more about other roles the members of a scam gang have.

The Telegram bot as the workers’ main weapon

Bots help gangs automate most of the scamming process. For example, scammers can use these to create unique, personalized phishing ads. A Telegram bot we discovered churns out as many as 48 ads at a time, in four languages, for six classifieds websites and in two versions: seller scam (2.0) and buyer scam (1.0).

A bot creates links for two types of scam at a time: seller scam (2.0) and buyer scam (1.0)

A bot creates links for two types of scam at a time: seller scam (2.0) and buyer scam (1.0)

Next, a worker uses the Telegram bot to automatically send the links to the victim’s email, instant messaging account or SMS inbox. As soon as a phishing link is opened, the bot displays a message that says “Mammoth online”. This tells the worker that the scam has all but succeeded: the victim has no protection, so the gang is about to pocket their money.

The bot tells the worker everything the victim does — in detail

The bot tells the worker everything the victim does — in detail

Instant notifications about anything that happens is one of Telegram bots’ killer features. Thus, if the victim takes the bait, paying for the “goods” or “delivery”, the worker learns immediately. The bot computes the worker’s share of the booty and shares the name of the carder who’ll withdraw the funds.

"Another one duped!" — the new workers' anthem

“Another one duped!” — the new workers’ anthem

This is the extent of what the worker needs to do, as the money will be credited to their account automatically — unless they’re scammed by their own gangmates, which isn’t unheard of.

How much scam gangs make

The workers are the gang’s cash cows: they pay commissions to the mastermind, mentor, carder and refunder. This project is no doubt a moneymaker: the gang earned more than two million US dollars between August 2023 and June 2024. That’s what the scammers say anyway, but they can declare whatever figures they want, no matter how inflated, in their internal chat to motivate the workers.

A bad day for the scammers — but a happy one for the whole humanity

A bad day for the scammers — but a happy one for the whole humanity

The scam factory’s profits are restricted by banks’ transaction limits. The gang we’re looking at operates out of Switzerland, and local banking rules prevent it from stealing more than 15,000 Swiss francs (approximately 16,700 US dollars) at a time. The workers have a minimum withdrawal amount: they won’t bother with cards if there are less than 300 Swiss francs (333 US dollars) in the associated account; otherwise the costs would exceed the earnings.

Avoiding the trap

Being attacked by turnkey phishing (as opposed to “regular” phishing) makes no difference to the target: the scammers are still scammers, trying all kinds of ways to swindle victims out of their money. But, since FaaS makes the scammers’ work so much easier, this kind of scam is on the rise. Accordingly, the protection tips remain the same as for other types of phishing:

  • Use reliable security to keep you from following phishing links.
  • Take a look at our safe online selling rules.
  • Restrict your chats with sellers and buyers to the classifieds sites; to prevent workers from seeing your personal details, don’t switch to instant messaging apps.
  • Pay for your online purchases only with virtual cards that have transaction limits, and don’t store significant amounts in the accounts linked to those.
  • Read about how other scams work to stay on top of trends.
Tips